The Erident Custom Login and Dashboard plugin exposes a call to the update_option method when a specific POST field is submitted to the plugin's settings screen.
No CSRF token is used, so if an administrative user can be tricked into visiting a site containing a malicious form, a forged request can store an attacker-controlled value through this unsafe method call and trigger a Stored Cross-Site Scripting attack in the admin dashboard.
The vulnerable method call is located on line 312 of erident-custom-login-and-dashboard/er-custom-login.php.
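The shape of the issue described above, beside the conventional WordPress fix, as an added illustration rather than the plugin's actual code. The option name, POST field name and function names are hypothetical; the hardened version adds the missing nonce check, a capability check, input sanitization and output escaping.

```php
<?php
// Added illustration of the pattern in the advisory, not the plugin's own code.
// Option name, POST field name and function names are hypothetical.

// Vulnerable shape: any POST to the settings screen updates the option, with no
// CSRF token and no sanitization, so a forged cross-site form can store markup
// that is later rendered in the admin dashboard.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_dashboard_text'] ) ) {
        update_option( 'example_dashboard_text', $_POST['example_dashboard_text'] );
    }
}

// Hardened shape: tie the form to a nonce, verify it on submit, require the
// capability needed for the change, and sanitize before storing.
function example_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings', 'example_settings_nonce' );
    echo '<input type="text" name="example_dashboard_text" value="'
        . esc_attr( get_option( 'example_dashboard_text', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_dashboard_text'] ) ) {
        return;
    }
    // check_admin_referer() stops with an "expired link" page when the nonce is
    // missing or invalid, which blocks a POST forged from another site.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['example_dashboard_text'] ) );
    update_option( 'example_dashboard_text', $value );
}

// Escape on output as well, so a stored value is never rendered as markup.
function example_render_dashboard_widget() {
    echo '<p>' . esc_html( get_option( 'example_dashboard_text', '' ) ) . '</p>';
}
```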

Copyright & License

Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.